137w ago - Following up on the recent PS3 C2D CEX to DEX Flash Patcher and PS3Tools GUI Edition v2.6, today I have released a CEX2DEX application that will allow you to extract the METLDR from ANY (NOR / NAND) PlayStation 3 flash dump and create a valid DEX (Debug / Test) flash from the given CEX (Retail) flash.

Can be used to create a valid DEX flash from any given CEX flash (NOR/NAND).

I will explain the two main options the program has.

Extract METLDR - This extracts the metldr from your flash dump so you can use this in the metldrpwn exploit and dump your root key. The dump file created by the metldrpwn exploit can then be loaded into the program (METLDR Dump).
CEX -> DEX - This creates a modified flash dump to convert your CEX into a DEX, the dump created can then be used to be flashed back to your PS3.

I assume you are getting those CMAC errors because you are attempting to use the extracted metldr as the metldr dump. These are two completely different files; the METLDR Dump is the dump file produced by the metldrpwn exploit. Could you show me part of your root key so I can get a better understanding of what you're actually loading?

Also, to make it clear: the Extract METLDR function only extracts the METLDR binary from the flash and DOES NOT dump the root key; Linux is required for this!

Also, some insight on how I dumped/flashed my NAND.

Using Preloader Advance 3.1 (JFW is NOT required) I put my PS3 into service mode, put Lv2diag.self and the advance.cfg on a memory stick and put it into USB000 (far right slot). Powered the PS3 on and let it do its work.

Use my program to create a modified dump, put the dump on the memory stick and name it rflash.bin, set the previous setting (#Backup "rflash" to "/dev_usb000/Backuprflash.bin") to 0 and set this (see below) setting to 1:

From aldostools on comparing CEX2DEX to the C2D application: If I understand it right, the major differences between this and andbey0nd's C2D.exe are that:

1- This tool supports NAND/NOR flash dumps of CEX, while C2D only supports NOR flash dumps of CEX
2- This tool extracts the EID root key (per_console_key) directly from the metldrpwn dump. So it is not required to hex edit the metldr dump to extract the first 3 lines (48 bytes).
3- This tool does not require Win32OpenSSL_Light to be installed

For the CEX dump, it is still necessary to use glevand's dump_flash.pkg (aka USB Flash Dump.pkg). I guess that 2 dumps are recommended, to compare md5/sha-1 hashes and be sure that it's valid.

For the metldr dump, it is still necessary to have an OFW (<=3.15) or a CFW with dual boot support to boot Linux (CFW355-OTHEROS++.PUP), then make and run metldrpwn to dump metldr, and a flasher or a tool like JaiCrab's Preloader Advance v3.1 to flash the NOR DEX dump created by this tool. Am I right, or am I missing something?

Put everything in the root of a USB device and install the PKG. Each application you start will make the console beep 3 times before returning to the XMB; if you do not hear these 3 beeps, try again.

1. Run "Setup for OtherOS FLASH", turn the console back to the XMB and restart.
2. Start "Install OtherOS" (the USB stick with the file dtbImage.ps3.bin must be inserted).

Now connect a USB keyboard and the USB stick to the console and launch "OtherOS Boot" and then "Reboot" from the XMB. You'll find yourself in "Petitboot". Using the keyboard, select "Exit to shell" and press Enter. Type the following commands:

Now insert the stick into your PC and extract the folder "metldrpwn" from "metldrpwn.zip" into the root of the USB stick.
Start CEX2DEX, select your dump and click "Extract metldr"; save the file as "metldr" in the "metldrpwn" folder on your USB stick.

Go back to your PS3, plug in the USB stick and insert the CD with the ISO burned previously. From the XMB start "OtherOS Boot" and "Reboot" again. This time, in Petitboot select "Red Ribbon OTHEROS live" and wait for it to load. If you do not have a USB hub, unplug the keyboard to plug in the mouse, click the first icon in the upper left -> Accessories -> Terminal, then reconnect the keyboard.

The system will shut down. Go back to your PC and start CEX2DEX, select your flash dump again and the file "dump" that is now on your USB stick, and click CEX -> DEX; it will ask you to save a file: name it "flashDEX.bin" and save it in the root of the USB stick.

Return to the PS3, connect the USB stick and remove the CD. Start "OtherOS Boot" and "Reboot" again, in Petitboot select "Exit to shell" and type the following commands:

And place it in X:\PS3\UPDATE\PS3UPDAT.PUP (X: is your USB stick)

Turn on the console in recovery mode and select system update. Now you have a Debugging Station.

Finally, below is another PS3 CEX to DEX Guide with No Linux or Hardware Required by ChocoErased (via nextgenupdate.com/forums/playstation-3-exploits-hacks/572924-full-tutorial-cex-dex-no-linux-hardware-required.html):

This is a tutorial from start to finish on how to convert a CEX console to a DEX console. If you don't know what you're doing or need someone to explain what DEX is to you, you should probably leave now. Also, be warned - if you mess up anything in this tutorial, you risk bricking your console. Follow the instructions right and you should be fine.

Note: This conversion does not require the installation of Linux or any hardware modifications, but it is recommended you have an E3 flasher or similar device in case you do end up bricking your console.

1. Install the FactoryServiceMode pkg on your PS3 and use it to boot your PS3 into Factory Service Mode. When done, confirm your console is in service mode by turning it on and seeing if the red box is there in the lower right hand corner. Power down your PS3.

2. Take all the files from Preloader.zip and extract them onto the root of your USB stick. Rename "Lv2diag.self.flash" to "Lv2diag.self".

3. Eject your USB from your PC and place it in the rightmost USB port of your PS3 (your PS3 needs to be turned off). Once it is securely in place, turn on the console. Nothing is going to come up on the screen, and eventually the PS3 power LED will start blinking. DO NOT TURN OFF THE CONSOLE, it is dumping your NAND/NOR. Wait for it to power down itself.

4. Once your console turns itself off, remove the USB from your PS3 and plug it back into your PC. There will now be a file on it named "Backuprflash.bin" (Note: You may have to enable displaying of system files in order for it to be shown). This is your dump of your NOR/NAND - if your console is NOR, the filesize should be 16mb. If your console is NAND, it will be 256mb.

5. On your USB, rename "Lv2diag.self" back to "Lv2diag.self.flash" and then rename "Lv2diag.self.exit" to "Lv2diag.self". Place the USB in the rightmost USB port of your PS3 (turned off), then turn it on. It should turn itself off after a few seconds. When it turns off, remove your USB and boot the PS3. It should now be out of factory service mode.

6. Install the eEID_RKDumper on your PS3. Run it, and it should cause your console to blackscreen. It will reboot after a few seconds, just give it its time and don't interrupt it (it is dumping your root key). Once it reboots, proceed to the next step.

7. Use a filemanager or FTP server to retrieve your root key dump from your PS3 - it is located at dev_hdd0/tmp/eid_root_key. It should be 256kb. Get it onto your USB, it should be in the same directory as your Backuprflash.bin. Rename it to "dump" (no file extension).

9. Start up CEX2DEX again on your PC. For the NOR/NAND flash dump, select your Backuprflash.bin. For the METLDR dump, select your rootkey (file named "dump"). Click on CEX -> DEX, and when it prompts you save the new file as "rflash.bin" and put it onto the root of your USB stick. Your NOR/NAND dump is now fully converted to DEX, all that is left is to flash it back onto your PS3. The filesize for rflash.bin should be 16mb for NOR consoles and 256mb for NAND consoles.

10. On your PS3, use FactoryServiceMode Tool to boot into Factory Service Mode again. On your USB, rename "Lv2diag.self" to "Lv2diag.self.exit" and rename "Lv2diag.flash.self" to "Lv2diag.self". Delete the advance.cfg file from the USB, and put this one onto the root of it: advance.cfg

11. Make sure your PS3 is fully powered off, then plug your USB into the rightmost USB port. Turn on the PS3, and it will begin writing to your NAND/NOR. DO NOT TURN OFF THE PS3!!! If you do, it is a guaranteed brick. Just leave it alone until the PS3 turns itself off, it may take 15 minutes or more. Don't worry if it's taking too long, mine took about 40 minutes to write completely. Once your PS3 has powered itself off continue to the next step.

12. On your USB, rename "Lv2diag.self" back to "Lv2diag.self.flash" and then rename "Lv2diag.self.exit" to "Lv2diag.self". Place the USB in the rightmost USB port of your PS3 (turned off), then turn it on. It should turn itself off after a few seconds. When it turns off, remove your USB and boot the PS3. It should now be out of factory service mode. Congratulations, you are now ready to install DEX firmware. I would recommend downloading and installing this debug firmware, from there you can go to 4.20 debug or whatever other version you want.

Important Notes:

Once you convert to DEX, your console can no longer access the PlayStation Network. Your IDPS becomes invalid.

You cannot data transfer from a DEX console to a CEX console.

If you choose to install a debug update of version 3.56 or higher, Peek & Poke will be disabled. This will make certain homebrew applications no longer work.

Most PKGs and homebrew applications will have to be resigned as debug files before they can be installed/run on DEX firmwares above 3.55.

I hope this makes the whole process of converting from CEX to DEX easier for some of you. Remember, this is NOT something that the average jailbroken PS3 owner should undertake. Have fun and be safe.

I love how many devs whine that it destroyed the ps3's hacking future. Please cut the bs, everybody knows that you kept it to yourself in order to enjoy the high fw privileges. If you were going to hack your way through the l0 and the keys you would have done it a long time ago... Higher versions only have more layers of protection.

By releasing this method Sony now knows how to fix it for the upcoming DEX FW. It was not without reason that devs did not make this method public!!! For devs with converted consoles it will be a massive hit in the face in the future!!!

Cheers for sharing this AnoRelease, I have now promoted the news to the main page as well.

I'm sure many PlayStation 3 developers will make good use of it, although I bet the passes included in the new PS3 SDKs (which CJPC mentioned they used to have in the 1.00 days) to access SP-INT will be watermarked per developer studio similar to the low level hardware docs that aren't included in most of the public leaks.

technodon, have a look here mate from Rnd: wiki.gitbrew.org/wikibrew/Metldrpwn

Metldrpwn

Dear all,

Many of you may have heard about Metldrpwn, which allows you to obtain the per-console key set.

I bet some of you have not gone for it because of the many things to install and do, like Linux etc.

Well, from now on you won't have to do all that; the only thing you will need to have/install is OtherOS (Petitboot), and that's it. The image of the FULL Linux distro with glevand's kernel patches and all is in this tutorial.

So, let me tell you what you have to do in order to pwn your metldr and get your per-console keys faster:

1. Install Petitboot

Only these steps from glevand's original tutorial are needed:

1. Install my latest CFW (gitbrew.org/~glevand/ps3/cfw/)
2. When installation is finished, reboot in Recovery Mode (not the Backup/Restore in XMB) and choose "Restore PS3 System"
3. Now your GameOS should use only the half of your HDD (Currently working on a better approach)
4. Run setup_flash_for_otheros.pkg (gitbrew.org/~glevand/ps3/pkgs/setup_flash_for_otheros.pkg - for all PS3 models)
5. Reboot (It's important to shut down and turn on your PS3)
6. Store dtbImage.ps3.bin (gitbrew.org/~glevand/ps3/petitboot/dtbImage.ps3.bin) on USB drive, plug it in and run install_otheros.pkg (gitbrew.org/~glevand/ps3/pkgs/install_otheros.pkg - NAND owners should use dtbImage.ps3.bin.minimal, rename it to dtbImage.ps3.bin). Try different USB ports if you don't get any beeps.
7. Run boot_otheros.pkg (gitbrew.org/~glevand/ps3/pkgs/boot_otheros.pkg)
8. Run reboot.pkg (gitbrew.org/~glevand/ps3/pkgs/reboot.pkg - use the package, not manually reboot!)
9. You should be in petitboot now.

1. Download my distro of Linux (gitbrew.org/~rnd/Linux-2.6.39-Rnd.iso)
2. Unpack in the root of your USB stick/or burn the image to a DVD
3. Plug in your USB/Insert the disc in your PS3 and you should see 2 different boot options, boot the first one

Now you have a copy in your home directory for safekeeping. Congrats, you've completed about < 10 mins of actual work.

There you go, keys are in 0x00 to 0x20 (first 3 lines).

So now you get code execution on metldr at the best time possible because your code executes right after metldr copies the root keys from 0x00 to 0x30, which means you get to dump these too. (Although they are hardcoded in metldr's code anyway)

The first 2 lines are erk, the 3rd is riv, and together they are the eid0 root key.

BTW, this does not mean you get 3.60 keys etc. or newer games, but it will help you get some nifty things to do some new stuff.... Also please be advised that if you are on 3.60+ you will need to downgrade with a flasher to do this. Also, if you have a unit that shipped from the factory with the metldr.2 (new metldr), you're SOL at the moment. There's also a nifty program on the dev tools page (ps3devwiki.com/wiki/Dev_Tools) to turn your hex into a key, it's called hex2key:

Hi Scene, sorry for my bad English. I want to give you info; please make it public. I want to be anonymous. I can only say I'm from Hong Kong. I have a way to get a DEX; it works and is complete, nothing missing.

Manual to get a DEX (here is everything you need), and you have a fully working DEX:

If you dump the isoldr key (EID Root Key) with metldrpwn you get from 0x00 to 0x1F the EID Root Key and from 0x20 to 0x2F the EID Root IV.

Use AES Encrypt to encrypt the EID0 Key Seed as data with the EID Root Key as key and the EID Root IV as IV. The result contains from 0x10 to 0x20 the EID0IV and from 0x20 to 0x40 the EID0Key.

Use AES Encrypt to encrypt the EID0 Section Key Seed as data with the EID0Key as key and no IV. The result will be the first 0x10 bytes of the EID0 First Section Key.

The second 0x10 bytes of the EID0 First Section Key are only 0x00 bytes.

EID0 is located in NAND at 0x80870 and in NOR at 0x2f070. The first 0x20 bytes of EID0 are not encrypted; at the fifth byte of EID0 (NOR example 0x2f075) your target ID is located; change it to 0x82 (Debug Target ID).

Use AES Decrypt to decrypt the first EID0 Section (NOR example 0x2f090). The size of the first section is 0xC0 bytes. Use the EID0 First Section Key as key and the EID0 IV as IV.

Build the CMAC (OMAC1) hash of the decrypted EID0 Section from 0x00 to 0xA8 with the EID0 First Section Key as key. The calculated hash has to be the same as the bytes in the decrypted EID0 Section from 0xA8 to 0xB8.

At 0x5 of the decrypted EID0 Section is your target ID again; change it to 0x82 again. 0xB8-0xC0 of the decrypted EID0 Section should be just 0x00 bytes.

After you have changed the target ID of the decrypted EID0 Section, create the CMAC hash of the new decrypted EID0 Section and write the new hash into the decrypted EID0 Section.

Use AES Encrypt to encrypt the EID0 Section and write it back to the NOR (NAND).
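The section steps above (decrypt, check the CMAC, change the target ID, rebuild the CMAC, re-encrypt), as an added example written for this page; it is not code from the anonymous manual, from CEX2DEX or from any other tool mentioned here. It implements AES-CMAC (OMAC1, RFC 4493) over 0x00..0xA8 of the decrypted 0xC0-byte section, refuses to touch a section whose stored CMAC at 0xA8..0xB8 does not verify, and only then sets byte 0x05 to 0x82, recomputes the CMAC and re-encrypts. It works on the section alone (the manual gives its NOR offset as 0x2f090), assumes AES-CBC for the "key and IV" step, and uses a constructed key, IV and section body that are placeholders, not console data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Decrypted first EID0 section layout from the page: 0xC0 bytes, CMAC over
// 0x00..0xA8 stored at 0xA8..0xB8, 0xB8..0xC0 zero, target ID at offset 0x05.
const sectionLen, macStart, macEnd, targetIDOff, debugTarget = 0xC0, 0xA8, 0xB8, 0x05, 0x82
func xor(dst, a, b []byte) {
	for i := range dst {
		dst[i] = a[i] ^ b[i]
	}
}

// gfDouble is the GF(2^128) doubling used for the CMAC subkeys (RFC 4493).
func gfDouble(in []byte) []byte {
	out := make([]byte, 16)
	var carry byte
	for i := 15; i >= 0; i-- {
		out[i], carry = in[i]<<1|carry, in[i]>>7
	}
	if carry != 0 {
		out[15] ^= 0x87
	}
	return out
}

// aesCMAC is AES-CMAC (OMAC1, RFC 4493) of msg under the block cipher b.
func aesCMAC(b cipher.Block, msg []byte) []byte {
	l := make([]byte, 16)
	b.Encrypt(l, l) // L = AES_K(0^128)
	k1 := gfDouble(l)
	k2 := gfDouble(k1)
	full, rem := len(msg)/16, len(msg)%16 // complete blocks, trailing bytes
	last := make([]byte, 16)
	if rem == 0 && full > 0 { // complete final block: XOR with K1
		full--
		xor(last, msg[full*16:], k1)
	} else { // partial (or empty) final block: pad 10..0, XOR with K2
		copy(last, msg[full*16:])
		last[rem] = 0x80
		xor(last, last, k2)
	}
	x := make([]byte, 16)
	for i := 0; i < full; i++ {
		xor(x, x, msg[i*16:])
		b.Encrypt(x, x)
	}
	xor(x, x, last)
	b.Encrypt(x, x)
	return x
}

// verifySection recomputes the CMAC over 0x00..0xA8 and compares it with the
// stored one; a mismatch means wrong key or IV and nothing may be written back.
func verifySection(b cipher.Block, plain []byte) bool {
	return len(plain) == sectionLen && bytes.Equal(aesCMAC(b, plain[:macStart]), plain[macStart:macEnd])
}

// convertSection: decrypt (AES-CBC assumed), verify, set debug target ID, re-MAC, re-encrypt.
func convertSection(key, iv, enc []byte) ([]byte, error) {
	b, err := aes.NewCipher(key)
	if err != nil || len(enc) != sectionLen {
		return nil, fmt.Errorf("bad key (%v) or section length 0x%x", err, len(enc))
	}
	plain := make([]byte, sectionLen)
	cipher.NewCBCDecrypter(b, iv).CryptBlocks(plain, enc)
	if !verifySection(b, plain) {
		return nil, fmt.Errorf("stored CMAC mismatch: wrong key or IV, refusing to patch")
	}
	plain[targetIDOff] = debugTarget
	copy(plain[macStart:macEnd], aesCMAC(b, plain[:macStart]))
	out := make([]byte, sectionLen)
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(out, plain)
	return out, nil
}

// sampleSection builds a CONSTRUCTED encrypted section with a valid CMAC under
// a constructed key and IV; none of these values are real console data.
func sampleSection() (key, iv, enc []byte) {
	key, iv = bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16)
	b, _ := aes.NewCipher(key)
	plain := make([]byte, sectionLen)
	for i := 0; i < macStart; i++ {
		plain[i] = byte(i * 7) // arbitrary constructed body (byte 0x05 is a fake target ID)
	}
	copy(plain[macStart:macEnd], aesCMAC(b, plain[:macStart]))
	enc = make([]byte, sectionLen)
	cipher.NewCBCEncrypter(b, iv).CryptBlocks(enc, plain)
	return key, iv, enc
}

func main() {
	fmt.Println(convertSection(sampleSection()))
}
```

The verify-before-patch order is the point: the manual warns that a wrong rebuild can brick the console, and a section that fails its stored CMAC before any byte is touched means the derived key or IV is wrong, so the tool stops there instead of writing a re-MACed section under the wrong key.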

HINT: If you get Petitboot on emer init, go to boot gameos and do emer init again to get to the recovery menu.

You can't login to the PSN because IDPS is obviously not valid from now on.

THIS CAN BRICK YOUR CONSOLE IF NOT DONE CORRECTLY.

有志者，事竟成 "Where there is a will, there is a way"
一不做二不休 "Once you start something, you have to finish it"

Note: You don't need the second 0x10 bytes of the eid0 first section key (the all-zero 0x00 bytes). Also from an anonymous source (via bit.ly/M2Oz4Q and lnx.lu/5yD and multiupload.co.uk/TAG2B6G8ZL and multiupload.nl/TAG2B6G8ZL) comes CEX-DEX(2).7z and from the included ReadMe file, to quote:

From deank: It just generates the EID section that you have to overwrite in your flash - that was the whole point of all this. You have to use your data and get the region to rewrite on your own console to convert your retail PS3 (CEX) to debug/test unit (DEX). This modification to the EID allows you to install the Debug firmware and get a DEX.

From zecoxao: The problem with this is it's easily patchable... Sony will probably patch it on the next OFW... Original retail dump, flash back retail firmware, and that's it. This is basically switching back and forth from CEX to DEX by flashing DEX dump and DEX firmware and from DEX to CEX by flashing CEX dump and CEX firmware.

You can use flasher, linux or jaicrab's preloader (basically anything that flashes the dump)

Jaicrab's Preloader only works correctly on NORs; you'll have problems with NANDs, or so I've tested (thanks to a friend of mine). In case you need to compare:

Execute the self with a self loader such as MultiMAN (use mmOS to go to the stick and load the self there)

Wait 35 minutes for the console to stop blinking and shut down with a steady red light (THIS ONLY WORKS ON NORs. YOU HAVE BEEN WARNED!)

Confirm that it boots (alternatively, if you have QA, DEX doesn't have QA when you do the button combo, so you can test it)
Flash 3.55 DEX firmware via recovery

PS: If I'm not dead by the next 24 hours, you know where to find me

Note: Don't flash this, this belongs to my console, so I advise you not to flash, this is just for verifying only.

From Squarepusher2: You'll have to go digging for debug eboots though if you intend on playing anything that is not a retail game on your debug PS3. And those are not easily found. I don't think end-users will get much use out of it - for devs it's a totally different story though.

Below is also a video from lordv demonstrating Battlefield 3 running on the DEX BD Emulator via USB; he states that games work fine from the BD EMU or BD-R disc (using PS3Gen) without a decrypted/Debug EBOOT. However, PS3 games won't run from DVDs in the newer DEX Firmware.

It also appears as though the newer PS3 SDKs will contain the necessary development tools and login information to access Sony's developer network (NP / SP-INT) as well:

The NP communication passphrase and signature will be provided within the Server Management Tools.

Details: NP communication ID, passphrase, and signature, required for certain PSN communication services, had been provided on the DevNet thread upon the completion of the requested PlayStation Network service configurations.

From 2012/07/05 the NP Communication Passphrase and Signature will be provided within the Server Management Tools.

This change affects all the communication IDs issued after 2012/07/05. It will not be possible to access the NP communication passphrase or signature in the support issued after that date.

Only those users who have initially requested the NP communication services and were provided the files on the DevNet thread will have access to the file on the request threads.

Note that the NP communication passphrase and signature are required with NP Matching 2 and Title Small Storage.

From PlayStation 3: I have found a way to access SP-INT (or developer) PSN. Those who remember, this also worked a year ago until Sony had fixed it. It is now working again for existing users. Making a new account will not work, but existing users who have made SP-INT accounts last year when it had worked can sign in (for now).

Here is how to do it:

1) Install Rebug 3.55.2 CFW. Also install the latest update package (0.7)
2) Set it to Rebug mode in Rebug Selector. Set the Rebug Menu to #2.
3) Install SEN Enabler 4.21 to spoof the firmware to 4.21.
4) Go to Debug Settings and change NP environment to 'SP-INT'.
5) Reboot PS3.
6) The PS3 will attempt to sign in to your NP (retail) PSN account and it will give an error because your NP PSN account will not work on the developers' PSN. Now you must sign in to your SP-INT account that you made last year. Making a new account will not work.

If anyone can somehow find a way to make a new account on SP-INT, please let us know. Thank you!

When metldr is encrypted at the factory, a special keyset is set in the binary before encryption. Later, when an isolated loader is loaded by metldr, it copies the keyset to LS offset 0x00000. It consists of eid_root_key and eid_root_iv. To avoid having to use the same key for all eEID parts, several subkeys are generated from special data called the individual information seed.

These seeds are stored in the metadata header of isolated modules loaded by isoldr. When isoldr loads a module, it calls a subroutine that encrypts each seed chunk (0x40 bytes) using eid_root_key and eid_root_iv. The so-called individual infos are then passed in registers r7 to r22 (= 0x100 bytes in total) to the loaded module, where they are used further.

Usually isolated modules have a seed section of 0x100 bytes, but in all of them (except sb_iso_spu_module) everything is zero except the first 0x40-byte chunk. You can, for example, find the recently published EID0 seed in the metadata section of aim_spu_module. The appliance info manager is used to get e.g. the target ID or the PSID from EID0. This explains why the seed can also be found in isoldr directly, since that one checks EID0 too.
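The seed-to-subkey step just described, together with the EID0 IV/key and first-section-key derivation from the anonymous manual earlier on this page, as an added example written for this page (my code, not the quoted developer's, and not from any of the tools named here). It encrypts a 0x100-byte seed section chunk by chunk under eid_root_key and eid_root_iv, then takes the EID0 IV (0x10..0x20) and the 0x20-byte EID0 key (0x20..0x40) out of the first derived chunk and encrypts the EID0 section key seed under that key. Assumptions of this example, not statements of the page: each 0x40-byte chunk is AES-CBC restarted from the root IV, "no IV" means one raw AES block, and every key, IV and seed byte is a constructed placeholder rather than console data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Sizes from the page: a 0x100-byte seed section made of 0x40-byte chunks,
// a 0x20-byte eid_root_key and a 0x10-byte eid_root_iv.
const seedChunk, seedSection = 0x40, 0x100

// deriveIndividualInfo encrypts every 0x40-byte seed chunk under eid_root_key
// and eid_root_iv, the step the page says isoldr performs before passing the
// result to the loaded module. That each chunk is AES-CBC restarted from the
// root IV is an assumption of this example, not a statement of the page.
func deriveIndividualInfo(rootKey, rootIV, seeds []byte) ([]byte, error) {
	if len(seeds) != seedSection {
		return nil, fmt.Errorf("seed section must be 0x%x bytes, got 0x%x", seedSection, len(seeds))
	}
	b, err := aes.NewCipher(rootKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, seedSection)
	for off := 0; off < seedSection; off += seedChunk {
		cipher.NewCBCEncrypter(b, rootIV).CryptBlocks(out[off:off+seedChunk], seeds[off:off+seedChunk])
	}
	return out, nil
}

// eid0Keys takes the derived first chunk apart at the page's offsets (EID0 IV
// at 0x10..0x20, 0x20-byte EID0 key at 0x20..0x40) and then encrypts the EID0
// section key seed under the EID0 key to get the first 0x10 bytes of the
// section key. "No IV" is taken here to mean a single raw AES block.
func eid0Keys(info, sectionSeed []byte) (eid0IV, eid0Key, sectionKey []byte, err error) {
	eid0IV, eid0Key = info[0x10:0x20], info[0x20:0x40]
	b, err := aes.NewCipher(eid0Key)
	if err != nil {
		return nil, nil, nil, err
	}
	sectionKey = make([]byte, 0x10)
	b.Encrypt(sectionKey, sectionSeed[:0x10])
	return eid0IV, eid0Key, sectionKey, nil
}

// sampleSeeds returns a CONSTRUCTED root key/IV and a seed section whose only
// non-zero chunk is the first one, the layout the page describes for most
// isolated modules. None of these bytes are real console values.
func sampleSeeds() (rootKey, rootIV, seeds []byte) {
	rootKey = bytes.Repeat([]byte{0xA5}, 0x20)
	rootIV = bytes.Repeat([]byte{0x5A}, 0x10)
	seeds = make([]byte, seedSection)
	for i := 0; i < seedChunk; i++ {
		seeds[i] = byte(i + 1)
	}
	return rootKey, rootIV, seeds
}

func main() {
	info, err := deriveIndividualInfo(sampleSeeds())
	if err != nil {
		panic(err)
	}
	_, _, sectionKey, _ := eid0Keys(info, bytes.Repeat([]byte{0x01}, 0x10))
	fmt.Printf("EID0 first section key: %x\n", sectionKey)
}
```

Running it on the constructed seeds makes the page's remark concrete: under the same root key and IV, the three all-zero chunks derive to identical bytes, so only the first chunk contributes module-specific material, and the whole hierarchy below eid_root_key and eid_root_iv is fixed once those two values are known.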

As you can probably think, a fair amount of reversing time and knowledge has gone into finding this, so stop calling us *swearwords* for not releasing information that could potentially lead to more piracy, because we think that this would do more harm to the “scene” than just keeping some information in private (for now).

Also I can only encourage everyone who thinks about us this way or greedily demands that developers/reverse engineers release their stuff to fire up isoldr in IDA or disassemble it with objdump and try to reverse all this from start to end. We'll see who is able to pull this through on his own...

From evilsperm (via ps3crunch.net/forum/threads/4023-Method?p=45195#post45195): Here is some code if you all want to flash from petitboot: this is to R/W the entire NOR or just the eEID section. Make sure to take a valid dump from GameOS as well so you can match both dumps. Also, if you have a hardware flasher I highly advise you do; check that dump against the soft dumps to make 100% sure.

All working except for Blu-ray/DVDs, which obviously are not working... Games work fine; shame on me for not having one, need to rent one... Can someone verify whether it needs a Blu-ray and/or the .30 PUP? Thx

From svenmullet: Use mathieulh's leaked tools to get the required info, then use the new leaked algos to change it to DEX, flash back using Objsuites/FSM. You don't need a flasher or linux to do this. And don't let anyone tell you different!

Remember CrashSerious released a tool to decrypt/encrypt SIG files? Reverse what those SIG files in the math leak are doing.

Also, I recall theorizing that the serial number (yes, that sticker on the console) has something to do with PCK. All we need now is some brainiac to figure it all out (and release the info).

Actually, to play PS3 3.60+ backups all you need to do is install an update for the game. Since DEX can't install retail PKGs, you have to downgrade to 3.55 DEX with peek and poke, install the update and re-upgrade.

Also ps3gen.exe will happily create image with the retail EBOOT, it just won't run because retail EBOOTs have the "run only from authenticated bd" capability flag; having installed an update for the game bypasses it.

From Lordv (via ps3devwiki.com/wiki/User_talk:Lordv) to quote:

Instead of having an edit war could we discuss it on irc? I can prove that what you write here are (un?)intentional lies.

1) What do you mean retail functionality? You can restore dvd playback and ps store to name a few by some sprx copying and xml editing. Just unpack a dex fw for 3.55 and a cex fw for 3.55 and note the differences in sprx. Then just add the correct xml keys. For example for ps store add the #seg_commerce_new key to category_psn.xml.

Answer from Mathieulh: You can't play Blu-rays/DVDs on 3.60+ DEX because you do not have the keys to craft a custom DEX firmware, and the BD/DVD player app will check your console's IDPS target, see 0x82, fail one (of too many) check(s), issue an error code and not proceed (not to mention 0x82 leads to an invalid region). I don't know/care about the PS Store, but as far as I know the DEX vsh.self will not display it.

2) I did, however i can't prove it. Should you cex2dex and have latest dex fw you too will be able to sign in to PSN.

Answer from Mathieulh: You can't because your idps is NOT in sony's database, as such it will not pass PSN authentication, there is nothing you can do to fake this, you would need to use a real debug idps, end of story.

3) Can't comment on that one but would very much like a statement from whoever wrote it.

Answer from Mathieulh: This is obviously not true, however you CAN brick/ylod if you rebuild your EID wrong (the likeliness is high)

4) Do you want a video of it? Use ps3 generator tools to create a master disc or a usb image. Ever wondered what that item labeled Blu-ray Disc Access in Debug Settings did? Now you can find out.

Answer from Mathieulh: The retail selfs are signed with special capabilities that make them only able to run from original discs (Masterdiscs != Original discs, lv2 can tell the difference) That's why you need decrypted selfs/fself to run games from masterdiscs or bdemu images, forget about running your "backups" (or should I say ,warez) Because ps3gen creates masterdiscs does not mean you can magically warez on the box. You can however play originals ! (I strongly advise you to start BUYING your games, (just saying))

5) Can't comment on that one.

Answer from Mathieulh: I can comment that most of your so called affirmations are a bunch of BS. (in fact I just debunked most of them, feel free to try though and see for yourself.)

There's really no way to know if AnoRelease is really the source or a leaker, as other devs in the circle may not know of or agree with his wishes to finally release it which may be why it was done anonymously.

If he is a leaker though, it would be the same as anything that gets leaked from the Rebug PSN passphrase for CFW users to the old R:FoM exploits, it benefits some for a period of time until Sony takes action and the next hole surfaces... although those cashing in on dongles may never admit it, it's called progress and is great for real PS3 scene developers not on the Max Louarn / Paul Owen payroll.